As mentioned in https://github.com/PowerShell/PowerShell/issues/5274, the AzureAD module is not compatible with Linux.
107 votes
This is in the works, hoping to be able to release a new version in the next couple of weeks that supports running on Linux (and Mac)
Emulating the Intune Roles method with Assignments, Members and Scopes would be ideal. Also the ability to disable Global Admin access (limit to groups/scopes added).
103 votes
Thanks for your feedback. This is currently under review, we will update the status when we finalize the schedule
Deliver a roadmap which shows what functionality is planned and under review.
103 votes
Hi all, unfortunately we don’t have plans to share out a public roadmap. This is constantly changing as we’re listening to customer requests. We will continue to update feedback.azure items as they come up so feel free to suggest anything you are curious about.
One Time Password access to the DirectAccess user tunnel using MFA
102 votes
Please provide more details. DirectAccess is an on-premises technology and as such may not fall into Azure Active Directory.
There should be CORS setting available on App Proxy just like we have the CORS available for App Services.
Making calls from Azure Apps into an Azure App Proxy App is a very common scenario, especially when on-prem applications are surfaced externally using App proxy.
101 votes
We’ve hit some roadblocks in our design for this feature and will need to re-evaluate options. To help us validate the scenarios we need to address, please continue to share feedback. We will update in the next couple months once we have a better idea of our timeline and approach.
Would be great to be able to add groups to application owners in AD instead of only users. Scenario is to use on-prem AD synced with Azure to keep management of application roles/groups/etc on-prem for cloud hosted solutions.
Would be helpful so we know who to target to get them registered within our organization
100 votes
Hi folks! This feature is still in progress and will go to public preview soon. I will update this request once it’s in public preview. I apologize for the delay – we know how important this is!
Allow the ability to set different password complexities for local accounts in a B2C tenant.
97 votes
We have a private preview of this feature available. If you are interested in joining, please contact email@example.com with the name of your tenant.
We have around 200 locations that use dynamic IP addresses that change frequently. We have the ability to pull the public IP addresses via REST API/PowerShell, but there is currently no way to update the Named Locations list programmatically. Without PowerShell, we are forced to manually dump the list to a CSV and upload the new file.
We would like to have the ability to add, remove, update Named Locations and entries in the IP Ranges of a Named Location.
95 votes
We’ve begun this work.
AADB2C supports either email addresses or usernames for accounts. If a directory uses usernames, you don't get that username as a claim in the JWT. This means an extra trip to Azure must be made to retrieve the username. Please consider including the username in the JWT.
93 votes
This is currently not on our roadmap. You can retrieve this value by making a call through the Graph API. If this is needed for your scenarios, please continue voting and we will review at a later date.
It's great that SSPR can now be invoked from the login screen. This however seems like a relatively minor benefit to the average user since most have a mobile device with which they can follow the flow. I don't mean to demean the achievement since it's definitely needed. However, what is a major issue (and which generates just as many support issues (and erodes IT credibility) as no SSPR at all) is the lack of SSPR for cached credentials when users are off the network/VPN. This happens to be the most common use case we see and is vital we get addressed. As it stands we'll have to look for third party tools to assist us.
91 votes
Hey folks! Thank you for your feedback. We are reviewing this ask and will keep you up to date on our findings. We have also added information about this limitation in our documentation. Thank you!
You recently implemented the password reset from the Windows 10 logon screen. However, the possibility of unlocking the user when they remembered the password was lacking.
I remember that this functionality already exists through the MIM or Azure reset link.
90 votes
Hi folks! Thank you for your feedback. We don’t yet have plans to release this feature, but we are still considering it. We will update you if anything changes.
I would like to be able to block ALL sign-ins from anonymous IP addresses.
90 votes
This feature work is planned, but hasn’t started yet.
It would be beneficial to get a notification when license count gets to x number. We are syncing our users with DirSync and apply licenses based on group membership. When users get synced and we have no licenses, I have zero idea until someone comes to me that they cannot get logged in to O365.
89 votes
Would be great if there was a recover-msoldevice cmdlet or some way to recover a bitlocker recovery key after a device was deleted.
89 votes
The Sign-in only policy allows the user to go directly to the password reset.
The Sign-in/Sign-Up does not allow this. The user gets redirected back and you have to handle AADB2C90118.
While this flow is useful for some people the opposite is also true. Please allow me to specify the password reset policy in my sign-in/sign-up policy so the round trip is not required if I don't want it.
87 votes
We have started working on this feature and hope to have another update by Oct 2018.
Currently, I can migrate user accounts from an existing database to Azure AD B2C. However, it only accepts unhashed passwords, which is completely useless for any modern system, which should ONLY be using hashed and salted passwords. What would actually make this feature useful is to include fields for hashed password, hash algorithm (any of several standard ones), salt and salt method (i.e., appended, prepended, etc).
87 votes
This is not planned for the next 6 months. If this is needed for your scenario, please continue voting and we will re-evaluate at a later.
Consider adding support for disabling user accounts in Azure Active Directory when the account is expired in the local Active Directory. Currently you recommend that customers create a PowerShell script that disable user accounts in Active Directory to support this scenario.
I would prefer that a rule be added to Azure Active Directory Connect that automatically changes AccountEnabled to false, if the user's account expires in the local Active Directory.
Aaron posted a great workaround solution:
We would like something built-in Active AD Connect that solves this out of the box
85 votes
We are currently investigating how to implement this. The expiration status is not a directory attribute so it is not straightforward how to sync it.
We use Airwatch for managing mobile devices. We want to use conditional access policies to ensure the device has been marked as compliant by Airwatch before allowing access to certain applications.
Currently Azure AD Conditional Access Policies only supports InTune for checking device compliance as described @ https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-policy-connected-applications#trusted-devices. This should be extended to support 3rd party EMM solutions.
84 votes
We have over 12,000 users we need to provision for MFA.
I know we can enable MFA via PowerShell, but there doesn't seem to be a way to update the "StrongAuthenticationUserDetails" attribute (Alt. Phone, Email, etc.) programmatically.
This is turning out to be a huge pain for us. Does anyone have a timeline for when we'll be able to do this?
84 votes